From: Andreas Schiffler
To: cygwin@cygwin.com
Subject: Re: W10 Mandatory ASLR default
Date: Sun, 18 Feb 2018 19:43:00 -0000

I'd say add a check and post a warning would be the best solution. A setup
script shouldn't modify a user's security setup, and even if the script were
to reset the settings they wouldn't be active until after a reboot.

On 2/15/2018 10:41 PM, Brian Inglis wrote:
> On 2018-02-14 00:36, Andreas Schiffler wrote:
>> On 2/13/2018 11:17 PM, Thomas Wolff wrote:
>>> On 14.02.2018 at 04:25, Brian Inglis wrote:
>>>> On 2018-02-12 21:58, Andreas Schiffler wrote:
>>>>> Found the workaround (read: not really a solution as it leaves the system
>>>>> vulnerable, but it unblocks cygwin)
>>>>> - Go to Windows Defender Security Center - Exploit protection settings
>>>>> - Disable System Settings - Force randomization for images (Mandatory ASLR) and
>>>>> Randomize memory allocations (Bottom-up ASLR) from "On by default" to "Off by
>>>>> default"
>>>>>
>>>>> Now setup.exe works and can rebase everything; after that Cygwin Terminal
>>>>> starts as a working shell without problems.
>>>>>
>>>>> @cygwin devs - It seems one of the windows updates (system is on 1709 build
>>>>> 16299.214) might have changed my ASLR settings to "system wide mandatory" (i.e.
>>>>> see
>>>>> https://blogs.technet.microsoft.com/srd/2017/11/21/clarifying-the-behavior-of-mandatory-aslr/
>>>>> for info) so that the cygwin DLLs don't work correctly anymore (i.e. see old
>>>>> thread about this topic here
>>>>> https://www.cygwin.com/ml/cygwin/2013-06/msg00092.html).
>>>>>
>>>>> It would be good to devise a test for the setup.exe that
>>>>> checks the registry (likely
>>>>> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel])
>>>>> for this state and alerts the user.
>>>>
>>>> I'm on W10 Home 1709/16299.192 (slightly older).
>>>> Under Windows Defender Security Center/App & browser control/Exploit
>>>> protection/Exploit protection settings/System settings/Force randomization for
>>>> images (Mandatory ASLR) - "Force relocation of images not compiled with
>>>> /DYNAMICBASE" is "Off by default", whereas Randomize memory allocations
>>>> (Bottom-up ASLR) - "Randomize locations for virtual memory allocations." and all
>>>> other settings are "On by default".
>>>> Under Windows Defender Security Center/App & browser control/Exploit
>>>> protection/Exploit protection settings/Program settings various .exes have 0-2
>>>> system overrides of settings.
>>>> It would be nice if one of the project volunteers with Windows threat mitigation
>>>> knowledge could look at these, to see if there is a better approach.
>>>
>>> I guess Andreas' suggestion is confirmed by
>>> https://github.com/mintty/wsltty/issues/6#issuecomment-361281467
>>
>> Here is the registry state:
>>
>> Mandatory ASLR off
>> Windows Registry Editor Version 5.00
>> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
>> "MitigationOptions"=hex:00,02,22,00,00,00,00,00,00,00,00,00,00,00,00,00
>>
>> Mandatory ASLR on
>> Windows Registry Editor Version 5.00
>> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
>> "MitigationOptions"=hex:00,01,21,00,00,00,00,00,00,00,00,00,00,00,00,00
>
> Could setup be updated to reset Mandatory ASLR if the reg keys exist, or an
> /etc/postinstall/[0z]p_disable_mandatory_aslr.sh script do a check and reset?
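
The check-and-warn approach discussed in this thread, as an added example that is not part of the original message or of Cygwin's setup: it decodes the two ASLR fields of a MitigationOptions value given in the .reg "hex:" form quoted above. The function names are hypothetical, the bit positions are those of the Windows SDK PROCESS_CREATION_MITIGATION_POLICY_* constants, and reading the live value from the registry is left to the caller.

```shell
#!/bin/sh
# Added example, not Cygwin setup code: decode ASLR fields and warn only.

# Positions of the 2-bit policy fields (Windows SDK
# PROCESS_CREATION_MITIGATION_POLICY_* constants).
FORCE_RELOCATE_SHIFT=8   # Force randomization for images (Mandatory ASLR)
BOTTOM_UP_SHIFT=16       # Randomize memory allocations (Bottom-up ASLR)

# low32 HEXLIST: HEXLIST is the comma-separated, little-endian byte list that
# follows "hex:" in a .reg export. Prints the low 32 bits in decimal.
low32() {
    case $1 in
        ''|*[!0-9A-Fa-f,]*) return 2 ;;   # only hex digits and commas allowed
    esac
    old_ifs=$IFS; IFS=,
    set -- $1
    IFS=$old_ifs
    [ $# -ge 4 ] || return 2
    for b in "$1" "$2" "$3" "$4"; do
        [ ${#b} -eq 2 ] || return 2       # each byte must be two hex digits
    done
    echo $(( 0x$1 | (0x$2 << 8) | (0x$3 << 16) | (0x$4 << 24) ))
}

# policy_state VALUE SHIFT: 0 = not set, 1 = always on, 2 = always off.
# 3 means "always on, require relocations" for the force-relocate field.
policy_state() {
    case $(( ($1 >> $2) & 3 )) in
        0) echo default ;;
        1) echo on ;;
        2) echo off ;;
        3) echo other ;;
    esac
}

# aslr_report HEXLIST: prints one status line. Exit status: 0 = Mandatory ASLR
# not forced on, 1 = forced on (warning on stderr), 2 = unparsable value.
aslr_report() {
    v=$(low32 "$1") || return 2
    forced=$(policy_state "$v" "$FORCE_RELOCATE_SHIFT")
    bottom=$(policy_state "$v" "$BOTTOM_UP_SHIFT")
    echo "mandatory_aslr=$forced bottom_up_aslr=$bottom"
    case $forced in
        on|other) echo "warning: Mandatory ASLR is forced on system-wide" >&2; return 1 ;;
    esac
}

# The two values quoted in this thread ("off" export, then "on" export).
aslr_report "00,02,22,00,00,00,00,00,00,00,00,00,00,00,00,00" || :
aslr_report "00,01,21,00,00,00,00,00,00,00,00,00,00,00,00,00" || :
```

The script only reports and never writes the setting, matching the point that a setup script shouldn't modify a user's security setup.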